Configure relays

Deep Security Relays are agents where you have enabled the relay feature, which is available in Deep Security Agent 9.5 or newer for Windows and Linux (64-bit only). For details, see How do relays work?.

To configure Deep Security Relays, you will need to do the following:

  1. Determine whether you should add more relays (see Should I enable more relays?)
  2. Enable a relay.
  3. Create relay groups.
  4. Configure relay settings for security and software updates.

How do relays work?

If there were no relays, many agents might connect at the same time to Trend Micro Active Update servers or Deep Security Manager to download security updates or software, respectively. This could cause slow Internet access, increased load, and slow agent updates. With relays, one (or a few) relays download updates directly, usually through your internet connection. Then the agents on your local network download from relays. Each relay divides the agent update load, and only the local network is used.

Relays can also download security updates from an alternative update source. See Keep your security up to date.

Every relay belongs to a relay group, even if the group only has one relay. Relay groups (and not individual relays) are assigned to agents and appliances for redundancy: if a relay is offline, another relay in the group can provide updates. By default, all new relays belong to "Default Relay Group." Every Deep Security deployment needs at least one relay group so that your agents and appliances can download security updates and software, but to optimize performance, usually you should have more relays. For sizing information, see Sizing for Deep Security Relays.

Currently, once you have enabled the relay feature, you can't use Deep Security Manager to disable it. However, you can either delete and re-install the agent, or disable it using a separate tool. See Disable the relay feature on an agent.

Should I enable more relays?

Enable a relay if:

Trend Micro recommends using at least two relays for redundancy. The exact number of relays you should have varies by:

  • Redundancy requirements
  • Geographic locations
    Trend Micro recommends that agents download updates from a relay group in the same geographic region, preferably the same local network.
  • Number of protected computers (see Sizing for Deep Security Relays)
  • Number of network bottlenecks or maximum bandwidth

    A bottleneck occurs when all agents cannot quickly download updates through the same connection, such as a low bandwidth WAN connection between the agents' local network segment and a remote Deep Security Manager or Trend Micro update server. Alerts can occur if this happens. Routers, firewalls, or proxies with high system resource usage between agents and the update source can also be performance bottlenecks. To alleviate bottlenecks, put a relay inside each bottlenecked network segment.

Don't convert all of your agents to be relays because too many relays can cause a delay. A relay requires more system resources than an ordinary agent. Also, a primary relay must transmit the update to the next relay and so on before the other agents can finally download an update from their relay; each hop adds some latency. If there are too many layers of relay groups, total latency can add more time than the relays' bandwidth optimization saves. Both can decrease performance instead of improving it.

Sizing for Deep Security Relays

Number of agents Recommended number of relays
1 to 10 000 1 to 2
10 000 to 20 000 2 to 3
More than 20 000 3 to 5

The recommended number of relays depends on how many agents will need updates within a period of time. The size of the download for initial agent activation is usually between 50 to 100 MB; updates after that are usually less, between 1 and 10 MB.

For example, 50 agents might need updates in 1 hour. If there were no relay on that subnet, the maximum update bandwidth would be about 5 GB/hour, but most updates would need 50 - 500 MB/hour. By adding 1 relay on that subnet, the required bandwidth would be reduced to 100 MB/hour maximum, and 1 - 10 MB/hour usually.

In most cases, adding more relays provides faster updates. For example 2 relays are required to provide a 10 MB update to 20,000 agents in 1-2 hours, but 4 relays provides the same update in 30 minutes.

Enable a relay

Currently, once you have enabled relay functionality for an agent, you can't disable it from the Deep Security Manager. However, you can either delete and re-install the agent, or disable the relay feature using a separate tool. See Disable the relay feature on an agent.
  1. Install and activate agents.
  2. Go to Computers.
  3. Double-click a computer that meets Deep Security Relay system requirements.
  4. Go to Overview > Actions > Software.
  5. Click Enable Relay.

    If the Enable Relay button is not visible:
    1. Verify that the agent is activated.
    2. Verify that the agent is not already a relay.
    3. Go to Administration > Updates > Software > Local and verify that the corresponding package has been imported.
    4. Verify that the computer is running a 64-bit version of the agent software.

    The computer's icon will change from an ordinary computer to a computer with a relay . To view the number of updates that the relay is ready to distribute, click the Preview icon to display the preview pane.

  6. If Windows Firewall or iptables is enabled on the computer, add a firewall rule that allows incoming connections to the relay's listening port number.
  7. If relays must connect through a proxy, see Connect agents, appliances, and relays to security updates via proxy.

    When you enable a relay, initially it is assigned to the default relay group. Continue with Create relay groups if you want to arrange relays in multiple relay groups.Newly activated relays will be automatically notified by the manager to update their security update content.

Create relay groups

By default, agents retrieve updates from the default relay group. To improve performance, optimize bandwidth, and have redundancy, you can create more relay groups and arrange them in hierarchies. When the agent tries to download updates, if the initial relay doesn't respond, then the agent randomly selects another member relay from the group to update from. Each agent's relay list is randomized, so each agent tries its relays in a different order. Because of that, each relay provides updates for some of the group's assigned agents.

Trend Micro recommends that agents download updates from a relay group in the same geographic region, preferably the same local network.
  1. Enable the relay feature on agents that you want to act as relays.
  2. Go to Administration > Updates > Relay Groups.
  3. Click New. In the dialog box that appears, configure the settings for the relay group and to assign relays to it:
    • On the General tab, enter a name and an optional description for the relay group. The Members section displays the relays that belong to this group.
    • On the Security Updates tab, select the source from which this relay group will download and distribute security updates: either "Primary Security Update Source", or a parent relay group.

      The Default Relay Group will always use the "Primary Security Update Source", which is usually the Trend Micro Active Update servers, but can be configured to download security updates from a local mirror. (See Configure a security update source and settings.)

      To create a relay group hierarchy, select a parent relay group. This relay group will download updates from its parent group.

      To improve performance in very large deployments, create multiple relay groups and arrange relays in a hierarchy: one or few first-level relays download updates directly from the Trend Micro Active Update servers, and then second-level relay groups download updates from the first-level group, and so on.
    • On the Proxies tab, specify the proxy server (if any) that relays must use to access the primary security update source.

      Every relay group can be configured to download security updates through a proxy server, except the default relay group. The default relay group uses the same proxy as Deep Security Manager. See Connect agents behind a proxy and Configure a proxy for anti-malware and rule updates (CLI).

      If the relay group is configured to use the Primary Security Update Source, relays will use this proxy. Otherwise, if this relay group is configured to download security updates from another relay group, relays won't use the proxy unless they can't connect to the parent relay group, and therefore are trying to connect to the Primary Security Update Source.

      In Deep Security Agent 10.0 and earlier, agents didn't have support for connections through a proxy to relays. If an application control ruleset download fails due to a proxy, and if your agents require a proxy to access the relay or manager (this includes Deep Security as a Service), then you must either:
    • The Assigned to tab shows computers that use this relay group to download software and security updates.
  4. Repeat these steps if you need to create more relay groups.

Assign an agent to relay group

If you didn't assign the agent when you created relay groups, you can either assign an agent to a relay group manually, or you can set up a scheduled task to do this.

  1. In Deep Security Manager, go to Computers.
  2. Right click the computer and select Actions > Assign Relay Group.

    To assign multiple computers, Shift-click or Ctrl-click computers in the list, and then select Actions > Assign Relay Group.

  3. Select the relay group to use from the list, or from the Computer Details window, use Download Updates From to select the relay group.

Configure relay settings for security and software updates

Deep Security Manager provides additional settings on the Administration > System Settings > Updates page that affect how relays are used to perform security and software updates.

Security updates

  • Allow supported 8.0 and 9.0 Agents to be updated: Select this option if you require support for agents on Windows 2000, AIX, HP-UX, or Solaris. By default, Deep Security Manager does not download updates for Deep Security Agent 9.0 and earlier, because for most platforms, Deep Security Manager 10.2 does not support them (see System requirements). This reduces disk usage because older agents and appliances have a different update package format. However, those platforms do not have newer agent versions, and therefore require the older package format.
  • Download Patterns for all Regions:If you are operating in multi-tenancy mode and any of your tenants are in other regions, select this option. If this option is deselected, a relay will only download and distribute patterns for the region (locale) that Deep Security Manager was installed in.
  • Use the Primary Tenant Relay Group as my Default Relay Group (for unassigned Relays): By default, the primary tenant gives other tenants access to the its relays. This way, tenants don't need to set up their own relays. If you don't want other tenants to share the primary tenant's relays, deselect this option and create separate relays for other tenants.
    If this option is deselected, when you click Administration > Updates > Relay Groups, the relay group name will be "Default Relay Group" rather than "Primary Tenant Relay Group".
    This setting appears only if you have enabled multi-tenant mode.

For information about other security update settings, see Get and distribute security updates.

Software updates

  • The Allow Relays to download software updates from Trend Micro Download Center when Deep Security Manager is not accessible option is useful when your Deep Security Manager is in an enterprise environment and you are managing computers in a cloud environment. If you enable this option and configure a relay in the cloud, the relay will be able to get software updates directly from the Download Center, removing the need for manual software upgrades or opening port numbers into your enterprise environment from the cloud.

For information about other software update settings, see Update Deep Security software.

Disable the relay feature on an agent

If you have enabled relay functionality for an agent from the Deep Security Manager and no longer want it to function as a relay, you can downgrade it to a normal agent.

You might want to downgrade a relay-enabled agent if:

  • you are noticing communication delays because there are too many relay-enabled agents in your environment.
  • the computer where the agent is installed does not meet the minimum system requirements for relay functionality.
If you use multi-factor authentication with Deep Security Manager, you will need to temporarily disable it before proceeding. For information on how to do this, see Set up multi-factor authentication.
If you are using Deep Security as a Service, skip step 1 and go to step 2 below.
  1. Go to Administration > System Settings > Advanced in the Deep Security Manager, click Enabled - Access the WSDL at: in the SOAP Web Service API section, and click Save.

  2. Download the Disable Relay Tool: https://s3.amazonaws.com/customerscripts/Deep-Security-Disable-Relays.exe.
  3. Run the tool on any Windows computer that can communicate with the computer where the Deep Security Manager is installed.
  4. Enter the IP address and port of the Deep Security Manager and your administrator user name and password when prompted.
  5. If you are using Deep Security as a Service or a multi-tenant Deep Security Manager, you also have to enter the tenant name.
  6. Click OK when you have finished entering the information required for the tool to communicate with the Deep Security Manager.

  7. Select all of the servers with relay-enabled agents that you want to downgrade from the list retrieved by the Disable Relay Tool and click Disable Relay On Select Hosts in the lower left corner.
  8. Leave the tool open and click Refresh Relay List to monitor the progress of the downgrade. It can take up to 15 minutes to downgrade the agents on the servers you selected.
  9. After a relay-enabled agent has been downgraded to a normal agent and no longer appears in the list of servers in the Disable Relay Tool, you should remove the relay files in the following locations for that agent:
    • Windows: C:\ProgramData\Trend Micro\Deep Security Agent\relay
    • Linux: /var/opt/ds_agent/relay